Symantec says all the clues point to Longhorn’s tools being ones included in WikiLeaks file dump
Symantec says tools described in Vault 7 documents leaked by WikiLeaks have been used against 40 targets in 16 countries in cyberattacks by an organisation previously known as ‘Longhorn’.
Vault 7 of the WikiLeaks dump consisted mainly of tools used by the CIA to penetrate smartphones and other devices such as routers, smart TVs and PCs.
Researchers have been tracking Longhorn since 2014 when they discovered an attack involving a zero day exploit and a backdoor known as ‘Plexor’. There is evidence to suggest the group has been active since 2011 and some early activity was noted in 2007.
The highly sophisticated nature of the tools, the targets (government and international agencies, major industries such as utilities, finance and telecoms) and working patterns led Symantec to conclude Longhorn was a hacking collective from a North American, English speaking country.
On one occasion a computer in the US was accessed, but the fact an uninstaller was launched just hours later has led to the belief this was a mistake.
“Prior to the Vault 7 leak, Symantec’s assessment of Longhorn was that it was a well-resourced organisation which was involved in intelligence gathering operations,” said Symantec.
“This assessment was based on its global range of targets and access to a range of comprehensively developed malware and zero-day exploits. The group appeared to work a standard Monday to Friday working week, based on timestamps and domain name registration dates, behaviour which is consistent with state-sponsored groups.”
Documents outlined the specifications for malware tools, along with roadmaps and timestamps that share the same development trajectory as Longhorn’s methods. For example, a piece of software described in the leak called ‘Fluxwire’ is the same as Longhorn’s ‘Trojan.Corentry’.
Moreover there are similarities in cryptography, command and control communications and other practices.
“The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks,” added Symantec.
“The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection. Given the close similarities between the tools and techniques, there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group.”
WikiLeaks has said it will work with manaufacturers to close the fixes for the vulnerabilities exposed in the file dump and give them “exclusive access” to some documents before disclosing more information.